Lawsuit Claims Headphones Maker Bose Is Secretly Collecting User Data

A lawsuit filed in Chicago, Illinois alleges that Bose, a US-based maker of high-tech headphones and speakers, has been collecting user data without consent, and sending the information to a third-party data mining company.

The lawsuit, filed on Friday, last week, lists only one plaintiff, a man named Kyle Zak, who is seeking a jury trial and a class-action status, which means other Bose customers would be able to join and ask for damages if the court approves it.

Zak and his lawyer didn't specify the exact amount of damages they are seeking but said "the amount in controversy exceeds $5,000,000," excluding other judicial and litigation costs.

Data collection occurred via Bose Connect mobile app

According to a copy of the complaint obtained by Bleeping Computer, Zak claims that Bose has used its mobile application, named Bose Connect, to collect data on users.

The lawsuit alleges that Bose gathered data such as a list of audio files and audio streams the user has listened to, the files he played back multiple times, and which songs the user skipped.

This information was then paired with registration data the Bose Connect app collected during installation, such as the user's name, email address, and the serial numbers of the user's Bose products.

Bose didn't inform users of data collection

Zak filed this lawsuit because the Bose Connect app was never advertised as a media player app, but an application that grants access to extra settings for Bose products, such as noise cancellation settings and the Auto-Off feature that saves battery life.

For all intent and purpose, the app should not have accessed a list of files the user was playing. Furthermore, the app never informed Bose customers of its intention to collect any information on their music listening habits. Zak now claims that Bose broke both privacy and wiretapping laws by collecting this data without user authorization.

Bose, who sells very pricey high-end headphones and speakers, has been pushing this app with all its newer products. The lawsuit specifically mentions products such as QuietComfort 35, SoundSport Wireless, Sound Sport Pulse Wireless, QuietControl 30, SoundLink Around-Ear Wireless Headphones II, and SoundLink Color II, meaning users of these Bose devices could file a claim in the class-action lawsuit if a judge approves it.

The lawsuit also claims that Bose has transmitted such data to a third-party company called Segment.io, LLC, based in San Francisco, and specialized in data mining for advertising companies.

Collected data reveals personal details about the Bose users

Zak argues Bose broke privacy laws because the data the company collected can be used to infer "an incredible amount of insight into his or her personality, behavior, political views, and personal identity."

In fact, numerous scientific studies show that musical preferences reflect explicit characteristics such as age, personality, and values, and can likely even be used to identify people with autism spectrum conditions. And that’s just a small sampling of what can be learned from one’s music preferences. When it comes other types of audio tracks, the personality, values, likes, dislikes, and preferences of the listener are more self-evident. For example, a person that listens to Muslim prayer services through his headphones or speakers is very likely a Muslim, a person that listens to the Ashamed, Confused, And In the Closet Podcast is very likely a homosexual in need of a support system, and a person that listens to The Body’s HIV/AIDS Podcast is very likely an individual that has been diagnosed and is living with HIV or AIDS. None of Defendant’s customers could have ever anticipated that these types of music and audio selections would be recorded and sent to, of all people, a third party data miner for analysis.

The lawsuit also seeks an injunction that would stop Bose from collecting further user data.

Bose did not respond to a request for comment from Bleeping Computer in time for this article's publication.

Catalin Cimpanu is the Security News Editor for Bleeping Computer, where he covers topics such as malware, breaches, vulnerabilities, exploits, hacking news, the Dark Web, and a few more. Catalin previously covered Web & Security news for Softpedia between May 2015 and October 2016. The easiest way to reach Catalin is via his XMPP/Jabber address at campuscodi@xmpp.is. For other contact methods, please visit Catalin's author page.